How to Talk to Your Insurance Company About Cyber Coverage
Cybersecurity • Updated • 11 min read

Cyber insurance isn't optional anymore — but most policies have exclusions that only show up after you file a claim. Here's how to have the right conversation before that happens.

Cyber insurance isn't optional anymore — but most policies aren't what you think

The global cyber insurance market hit $14 billion in gross written premiums in 2024, according to Munich Re's Cyber Risk and Insurance Survey. By 2027, they project it'll reach $29 billion. That growth isn't driven by companies proactively buying coverage — it's driven by the volume and cost of claims forcing the issue.

Here's the problem: most business owners buy cyber insurance the same way they buy general liability. They ask their broker for a policy, sign it, file it away, and assume they're covered. Then something happens — a ransomware attack, a compromised vendor, an employee clicking a deepfake voice phishing link — and they discover the policy has exclusions that functionally void coverage for their exact scenario.

This article is about having the right conversation with your insurer before you need to file a claim. Because cyber insurance isn't a checkbox. It's a contract. And the details in that contract are the only things that matter when you're staring at a six-figure incident response bill.

The policy language matters more than the premium amount.

What cyber insurance actually covers

Cyber insurance policies typically fall into two categories: first-party coverage and third-party coverage.

First-party coverage pays for your direct losses. This includes incident response costs (forensics, legal counsel, breach notification), business interruption from system downtime, data recovery, and in some policies, ransomware payments. It covers what happens to your company.

Third-party coverage pays for claims against you. If a breach exposes customer data and you face lawsuits, regulatory fines, or contractual liability from affected partners, third-party coverage handles the defense costs and settlements. It covers what happens because of your company.

Some policies bundle both. Some sell them separately. The distinction matters because most SMBs focus on first-party coverage — "will they pay if we get hacked?" — and overlook third-party exposure, which is often where the larger financial damage lands. The Ponemon Institute's 2024 Cost of a Data Breach Report found that the average breach cost for companies under 500 employees was $3.31 million, with regulatory and legal costs accounting for 38% of that total.

The exclusions that show up after a claim

Every cyber insurance policy has exclusions. Most of them are reasonable on their face. In practice, they create gaps wide enough to void entire claims. These are the ones that catch businesses most often:

Acts of war and nation-state attacks. Nearly every cyber policy excludes losses from "acts of war." This used to be theoretical. It isn't anymore. In 2022, Merck's insurer — Ace American Insurance — denied a $1.4 billion claim related to the NotPetya attack on the grounds that it was a Russian state-sponsored act of war. Merck ultimately won after years of litigation, but the legal precedent is still evolving. If a nation-state-linked group deploys ransomware against your company, your insurer may invoke this exclusion. Lloyd's of London issued guidance in 2023 requiring all cyber policies to include explicit state-backed attack exclusions.

Failure to maintain minimum security controls. Most modern cyber policies include a "security requirements" section that lists controls you must have in place for coverage to apply. Common requirements: multi-factor authentication on all remote access, endpoint detection and response software on all devices, regular patching within specified timeframes (often 30 days for critical vulnerabilities), encrypted backups stored offline. If you suffer a breach and the insurer's forensic review finds that you didn't have MFA on your VPN, or your systems were running unpatched software with known CVEs, the claim can be denied. This isn't hypothetical — it's the most common reason for claim denial according to Coalition's 2024 Cyber Claims Report.

Social engineering and voluntary transfer of funds. This is the exclusion that's becoming most relevant in 2026. Standard cyber policies cover unauthorized access — someone breaking into your systems. They often do not cover situations where an employee voluntarily transfers funds based on a fraudulent communication. Business email compromise (BEC) schemes, deepfake voice calls impersonating executives, and AI-generated video calls directing wire transfers — these all fall into a gray area. Some policies offer "social engineering" riders for additional premium. Without that rider, if your controller wires $200,000 to what they believe is a vendor's updated bank account, you may have no coverage.

Prior known incidents. If you had a security incident before the policy inception date that you didn't disclose, and that incident is related to a later claim, coverage can be voided retroactively. This includes ongoing breaches you didn't know about — the average dwell time for an undetected breach is still 204 days according to IBM's 2024 data. If the breach started before your policy did, even if you discovered it after, the insurer may deny the claim.

What insurers ask — and why it matters

The application process for cyber insurance has changed significantly in the last three years. In 2021, many insurers issued policies based on a short questionnaire. Now, the underwriting process for policies above $1 million in coverage typically includes detailed technical assessments.

Expect questions about:

  • MFA deployment — specifically where it's implemented (email, VPN, admin consoles, cloud services) and whether it's enforced or optional
  • Backup architecture — whether backups exist, how often they run, whether they're tested, and critically, whether they're air-gapped or immutable
  • Patch management cadence — how quickly you apply critical patches, whether you have a documented process, and how you track compliance
  • Employee security training — whether you conduct phishing simulations, how often, and what the click-through rates are
  • Incident response planning — whether you have a written plan, when it was last tested, and who your designated incident response provider is
  • Third-party vendor management — how you assess the security posture of vendors who access your systems or data

These aren't idle questions. Your answers become part of the policy contract. If you state on the application that you enforce MFA on all remote access and it turns out you don't, that's a material misrepresentation — and it gives the insurer grounds to rescind the entire policy.

Answer accurately. If a control isn't fully deployed, say so. It's better to get a policy with a documented gap (and potentially a higher premium or lower sublimit) than to get a policy based on inaccurate representations that won't pay when you need it.

I covered the foundational controls insurers expect in five cybersecurity things every business should do first. If you haven't read it, start there before your renewal conversation.

Insurers verify your controls after a claim. Documentation before the claim is what matters.

How to prepare for the conversation

The goal isn't to impress your insurer. It's to make sure the policy you're paying for will actually function when you need it. Here's how to prepare:

1. Document your controls before you apply. Create a one-page summary of your security posture: MFA status across all systems, backup schedule and test results, patch management process, training program details, incident response plan location and last review date. This document serves two purposes — it gives your broker accurate information for underwriting, and it becomes your reference if a claim is ever disputed.

2. Get MFA deployed before your application or renewal. This isn't negotiable in 2026. Coalition's data shows that policyholders without MFA on remote access pay 30-50% higher premiums and face significantly higher claim denial rates. Deploy MFA on email, VPN, cloud admin consoles, and any remote access tools. Do it before the application, not after.

3. Ask about exclusions explicitly. Don't wait to discover them in a claim review. Ask your broker: What's excluded under the acts of war clause? Does the policy cover social engineering losses? Is there a sublimit on ransomware payments? What security controls must be maintained for coverage to apply? Get the answers in writing.

4. Understand your sublimits. A $5 million cyber policy doesn't mean you have $5 million available for every type of loss. Most policies have sublimits — separate caps for specific categories like ransomware, business interruption, or regulatory fines. A policy with a $5 million aggregate limit might have a $500,000 sublimit on ransomware payments and a $250,000 sublimit on social engineering losses. Those sublimits are where most coverage surprises happen.

5. Review the incident response requirements. Many policies require you to use the insurer's approved incident response vendor, notify the insurer within a specific timeframe (often 24-72 hours), and follow specific procedures during an incident. If you hire your own forensics team without insurer approval, the costs may not be covered. If you understand what happens in the first 48 hours of an incident, these requirements will make more sense — I wrote about that timeline in what happens when you get hacked.

6. Write a cybersecurity policy if you don't have one. Insurers increasingly require a written security policy as a condition of coverage. It doesn't have to be 100 pages — a clear, enforceable document that defines your security standards, employee responsibilities, and incident procedures is sufficient. I wrote a practical guide for companies building their first one: how to write a cybersecurity policy without a security team.

What drives your premium

Cyber insurance premiums are calculated based on risk factors that are more transparent than most business owners realize. Understanding them gives you leverage in the conversation.

Industry. Healthcare, financial services, and legal firms pay higher premiums because they handle regulated data with higher per-record breach costs. A retail business and a healthcare practice of the same size will pay meaningfully different premiums.

Revenue. Premiums scale with revenue because revenue correlates with data volume, transaction volume, and potential business interruption losses.

Security posture. This is where you have the most control. Documented controls — MFA, EDR, backup testing, employee training, patching cadence — directly reduce your premium. Some insurers offer specific discounts for verified controls.

Claims history. A prior claim increases premiums, but a prior claim with documented response and remediation is better than a prior claim with no evidence of improvement.

Data types. Companies that store payment card data, protected health information, or biometric data face higher premiums because the regulatory and litigation costs per breached record are higher.

Before AI / Now with AI

Before AI, cyber insurance underwriting was based on historical claim data and relatively stable attack patterns. Premiums were calculated against known threat categories — phishing, ransomware, insider threats — with actuarial models built on years of consistent data. The conversations were simpler: Do you have a firewall? Do you have backups? Do you have antivirus? The policies were simpler too.

Now with AI, the entire risk landscape is shifting faster than actuarial models can adapt. Three developments are changing the conversation:

Attack sophistication and frequency are accelerating. AI-powered phishing campaigns generate personalized, grammatically perfect social engineering at scale. Deepfake audio and video are being used to impersonate executives in real time. The FBI's Internet Crime Complaint Center reported a 45% increase in AI-facilitated fraud attempts in 2025. For insurers, this means higher claim frequency and higher average claim severity — which translates directly to higher premiums across the board.

Insurers are adding AI-specific requirements. Some underwriters now ask whether your organization has policies governing employee use of generative AI tools, whether proprietary data has been uploaded to public AI platforms, and whether AI is used in any customer-facing decision-making that could create regulatory liability. These aren't curiosity questions — they're becoming coverage conditions. Organizations without AI usage policies may face coverage restrictions or higher premiums.

Deepfake and social engineering coverage is a moving target. The rise of AI-generated voice and video impersonation has created a category of fraud that doesn't fit neatly into traditional cyber policy definitions. An employee deceived by a deepfake CFO video call into wiring funds isn't a "cyber attack" in the traditional sense — it's social engineering enabled by AI. Some insurers cover it. Some explicitly exclude it. Some offer it as an endorsement for additional premium. This is the single most important exclusion to clarify in any 2026 policy conversation.

At Kief Studio, we help clients prepare for these conversations by documenting their security controls, implementing the baseline requirements insurers expect, and identifying policy gaps before renewal. The goal is never to sell you on fear — it's to make sure the coverage you're paying for will actually work.

AI is changing both sides of the equation — the threats policies cover and the controls insurers require.

The bottom line

Cyber insurance is a financial tool, not a security strategy. It doesn't prevent incidents — it helps you survive them financially. But it only works if the policy is built on accurate information, understood exclusions, and maintained controls.

Before your next renewal or application, do three things: document your current security controls honestly, deploy MFA everywhere your insurer will check, and ask your broker to walk you through every exclusion in the policy. Those three actions will do more for your actual coverage than any premium increase.

The conversation with your insurer shouldn't be adversarial. They want to insure businesses that take security seriously — those businesses file fewer claims. Show them you're one of those businesses, and the policy you get will be one that actually pays.

Only 17% of small businesses have cyber insurance. Of those who applied in 2024, 27% were denied at any price. The businesses with documented controls got better rates. The ones without got priced out.

Frequently Asked Questions

Is cyber insurance legally required?

Not in most jurisdictions — yet. However, many contracts, especially in healthcare, financial services, and government contracting, require proof of cyber insurance as a condition of doing business. Several states are considering legislation that would mandate minimum cyber coverage for companies handling personal data. Even without a legal mandate, the financial exposure of operating without coverage makes it functionally necessary for most businesses.

How much does cyber insurance cost for a small business?

Premiums vary widely based on industry, revenue, data types, and security posture. For a company with under $10 million in revenue and reasonable security controls in place, expect annual premiums between $1,500 and $7,000 for $1 million in coverage. Companies in regulated industries, or those with poor security posture or prior claims, can pay significantly more. The best way to reduce your premium is to document your controls before you apply.

What's the difference between cyber insurance and general liability?

General liability policies typically exclude cyber-related losses entirely. They cover bodily injury, property damage, and advertising injury — not data breaches, ransomware, business interruption from cyberattacks, or regulatory fines from data exposure. A general liability policy will not pay for incident response, breach notification, or customer lawsuits resulting from a data breach. You need a standalone cyber policy or a cyber endorsement for that coverage.

Does cyber insurance cover ransomware payments?

Many policies include ransomware coverage, but almost always with a sublimit that's lower than the overall policy limit. Some insurers are reducing or eliminating ransomware payment coverage due to rising claim costs, while others maintain it but require proof that the policyholder had adequate backups and security controls in place. The trend is toward covering the recovery costs from ransomware (forensics, restoration, business interruption) rather than the ransom payment itself.

What should I do if I've already been breached and don't have cyber insurance?

Contact a cybersecurity attorney and an incident response firm immediately — the sequence matters because attorney-client privilege can protect forensic findings from discovery in future litigation. Document everything. Then, once the incident is contained and remediated, apply for cyber insurance with full disclosure of the prior incident. A prior breach doesn't make you uninsurable — but a prior breach that you didn't disclose will.

How often should I review my cyber insurance policy?

Annually at minimum, and after any significant change to your technology environment, business model, or data handling practices. If you migrate to a new cloud provider, start processing a new type of sensitive data, deploy AI tools that access customer information, or expand into a new regulated market, review the policy to confirm coverage still applies. The most common gap is a policy that was accurate at inception but no longer reflects how the business actually operates.
